A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the
following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network?

A.
A CRL

B.
Make the RA available

C.
A verification authority

D.
A redundant CA

Explanation:
A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key.
By checking the CRL you can check if a particular certificate has been revoked.
Incorrect Answers:
B: Access to a registration authority (RA) is not required to check for bad certificates. A CRL will do fine.
A registration authority (RA) offloads some of the work from a CA. An RA system operates as a middleman in the process: It can distribute keys, accept
registrations for the CA, and validate identities.
C: A verification authority is used to check the uniqueness of a certificate, not primarily to check for bad certificates.
The user identity must be unique within each CA domain. The third-party validation authority (VA)/verification authority can provide this information on behalf of the
CA. The binding is established through the registration and issuance process.
D: A redundant CA is not required to check for bad certificates. A CRL will do fine.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 262, 279-280, 285